How Poor Medical Device Security Threatens Us, and What We Need to Do to Fix It

When you enter a hospital, your eyes and ears fill with the flashing lights and beeps of the medical devices helping deliver state-of-the-art medical care to sick patients. There are heart-rate monitors, infusion pumps, radiology machines, ventilators, and so on, all hooked up to the hospital’s computer network and enabling nurses and doctors to monitor their patients’ status from a station down the hall.

All of this technology allows the medical system to deliver better care to more patients, alerting nurses when something is about to go wrong, saving patients’ lives and allowing hospitals to serve more patients with fewer staff resources. Technology has given us many of the most important advances in modern medical care. But, as Bloomberg Businessweek recently reported, many of these critical Internet of Things (IoT) enabled medical devices have significant security gaps that put patients, hospitals and device makers at serious risk.

Bloomberg authors Monte Reel and Jordan Robertson profiled Billy Rios, a white-hat hacker who is hired by the likes of Google, Microsoft, defense contractors, utilities and government security agencies to uncover security flaws in their systems before the bad guys find and exploit them. Rios was part of a team hired by Mayo Clinic to unearth vulnerabilities in their medical system. Rios was shocked by what they found.

“Every day, it was like every device on the menu got crushed,” Rios told Bloomberg Businessweek. “It was all bad. Really, really bad.” Authors Reel and Robertson wrote, “The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many – defenseless operating systems, generic passwords that couldn’t be changed, and so on.”

Bad-actor hackers could have used the security gaps to change the devices’ operations – for example, dumping an entire vial of insulin into a patient’s bloodstream at once, which would probably kill the person. Somewhat fortunately, medical device hackers appear to be interested in the same thing most hackers want – your personal data to exploit and make money off of. (That’s not to say they’ll never try to exploit their ability to take our health and our lives.)

Last year, TrapX Security found that every one of more than 60 hospitals it studied had malware-infected medical devices. Hackers could inject malware throughout a hospital’s network and into medical devices which, unlike regular computers on the network, aren’t protected with antivirus software. From there, the hackers could scrape the devices to steal patients’ personal medical data, which can be used “to establish false identities and lines of credit, to conduct insurance fraud or even for blackmail,” said Bloomberg Businessweek.

Fortunately, thanks to people like Billy Rios, device makers, federal regulators and the health care industry are tuning into the problem and working with technology companies to strengthen device security. And I’m proud that BlackBerry is taking a leadership role on the issue, helping to protect us and our data.

David Kleidermacher, BlackBerry’s Chief Security Officer, has been working with experts from the U.S. Food and Drug Administration, Department of Health and Human Services, National Institutes of Health, Health Canada, academic researchers, physicians, device manufacturers and others. They’ve co-authored a draft cybersecurity standard aimed at shoring up medical device security across all platforms. As David recently told CNN, “you can’t raise the cybersecurity bar if you don’t know how to measure its height.” One aim of the medical device standard is to set that bar and work with device manufacturers and users to consistently achieve it.

I think we’re on the cusp of great things for medical device security, for protecting ourselves and for re-establishing trust with device makers and the hospitals that use them.

Have you read the Bloomberg Businessweek article? What do you think should be the priorities for medical device security? And where would you like BlackBerry to focus its efforts? Please share your thoughts in the comments below.

Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 at MEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today at MEDSecMeeting.org.

About Mark Wilson

Mark Wilson is the Chief Marketing Officer for BlackBerry, where he leads the company’s corporate, product and field marketing functions. Mark brings with him extensive experience building brand preference, driving integrated marketing for a number of well-known companies. Prior to joining BlackBerry, Mark served as CMO at Avaya. He previously held senior marketing positions at SAP and Sybase, and gained extensive marketing and consulting experience at AT&T, KPMG Consulting and the San Francisco Consulting Group.